Prosody Security Configuration

  1. The ssl setting holds the SSL/TLS security and encryption configuration. In the example below, users are allowed to register themselves (allow_registration = true), SSL/TLS encryption is enabled, and the private key and certificate files are set as shown.
    [root@kvm8 ~]# grep ^ssl /etc/prosody/prosody.cfg.lua -C4
    allow_registration = true;
    
    -- These are the SSL/TLS-related settings. If you don't want
    -- to use SSL/TLS, you may comment or remove this
    ssl = {
    	key = "/etc/pki/tls/private/prosody.key";
    	certificate = "/etc/pki/tls/certs/prosody.crt";
    }
    
  2. The following is the virtual host connection setup without its own SSL/TLS security and encryption settings: the per-host ssl block is commented out, so, as the config comment notes, the host falls back to the certificate set in the global section.
    [root@kvm8 ~]# grep '\-\-[[:space:]]*ssl =' /etc/prosody/prosody.cfg.lua -B7 -A3
    VirtualHost "deyu.wang"
    	enabled = true -- Remove this line to enable this host
    
    	-- Assign this host a certificate for TLS, otherwise it would use the one
    	-- set in the global section (if any).
    	-- Note that old-style SSL on port 5223 only supports one certificate, and will always
    	-- use the global one.
    --	ssl = {
    --		key = "certs/example.com.key";
    --		certificate = "certs/example.com.crt";
    --	}
    
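A check for the key and certificate files that steps 1 and 2 refer to, added here as an example (this script is not part of the original page or of Prosody itself): it confirms that both files exist, that the private key is not readable by other local users, and that the certificate actually belongs to that key, so a restart does not silently bring up a broken or leaky TLS setup. The default paths are the ones from the global ssl block above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check the key/certificate pair named in Prosody's ssl block.
# Default paths are taken from the page's config; pass other paths as arguments.

# Succeed only if the private key's mode grants no permission to "other" users.
# A world-readable key lets any local account present itself as the XMPP server.
key_perms_ok() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        *0) return 0 ;;   # last octal digit (other) is 0
        *)  return 1 ;;
    esac
}

# Succeed only if the certificate's public key equals the one derived from the private key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Run every check on a key/cert pair, print findings, and return non-zero on any failure.
check_prosody_tls() {
    key=${1:-/etc/pki/tls/private/prosody.key}
    crt=${2:-/etc/pki/tls/certs/prosody.crt}
    rc=0
    [ -r "$key" ] || { echo "missing or unreadable key: $key"; rc=1; }
    [ -r "$crt" ] || { echo "missing or unreadable certificate: $crt"; rc=1; }
    [ "$rc" -eq 0 ] || return "$rc"
    key_perms_ok "$key" || { echo "private key is readable by other users: $key"; rc=1; }
    pair_matches "$key" "$crt" || { echo "certificate does not match private key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "TLS key/certificate OK: $key $crt"
    return "$rc"
}

# Run the checks when paths are given on the command line, e.g.
#   sh check_prosody_tls.sh /etc/pki/tls/private/prosody.key /etc/pki/tls/certs/prosody.crt
if [ "$#" -ge 2 ]; then
    check_prosody_tls "$1" "$2"
fi
```

Run it before the restart in step 3; a non-zero exit status means the ssl block points at files Prosody should not be started with.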
  3. After changing the configuration, the prosody service must be restarted.
    [root@kvm8 ~]# /etc/init.d/prosody restart
    Stopping prosody: Stopped
                                                               [  OK  ]
    Starting prosody: Started
                                                               [  OK  ]
    
  4. Check the ports the prosody service listens on by default.
    [root@kvm8 ~]# netstat -tlunp | grep lua
    tcp    0    0 0.0.0.0:5269        0.0.0.0:*    LISTEN      28232/lua           
    tcp    0    0 127.0.0.1:5347      0.0.0.0:*    LISTEN      28232/lua           
    tcp    0    0 0.0.0.0:5222        0.0.0.0:*    LISTEN      28232/lua
    
  5. The iptables firewall must open ports 5269, 5347 and 5222.
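An added example, not from the original page: a script that derives the firewall rules from the netstat listing in step 4 instead of from a hand-typed port list. It keeps only sockets bound to all interfaces (0.0.0.0, or :: for IPv6), so in the listing above it yields 5222 (client-to-server) and 5269 (server-to-server) and leaves out 5347, the component port, which is bound to 127.0.0.1 and therefore unreachable from other hosts whatever the firewall allows; if a component on another machine really needs 5347, bind it to an external address first and the script will pick it up. NETSTAT_SAMPLE is a constructed copy of the page's output, the rules are printed for review rather than applied, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: generate iptables INPUT rules from the ports Prosody actually exposes.

# Constructed sample of the page's `netstat -tlunp | grep lua` output.
NETSTAT_SAMPLE='tcp    0    0 0.0.0.0:5269        0.0.0.0:*    LISTEN      28232/lua
tcp    0    0 127.0.0.1:5347      0.0.0.0:*    LISTEN      28232/lua
tcp    0    0 0.0.0.0:5222        0.0.0.0:*    LISTEN      28232/lua'

# Print, space-separated and numerically sorted, the TCP ports that are bound to
# all interfaces (0.0.0.0 or ::). Loopback-only sockets are skipped because no
# firewall rule can make them reachable from outside anyway.
external_ports() {
    printf '%s\n' "$1" | awk '($1 == "tcp" || $1 == "tcp6") && $6 == "LISTEN" {
        addr = $4; sub(/:[^:]*$/, "", addr);   # strip ":port" to get the address
        port = $4; sub(/.*:/, "", port);       # keep only the port
        if (addr == "0.0.0.0" || addr == "::") print port;
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Emit one ACCEPT rule per port in a space-separated list. Rules are printed,
# not applied, so they can be reviewed; pipe into `sh` on the Prosody host to apply.
iptables_rules() {
    for p in $1; do
        printf 'iptables -A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
}

# Same as above but read from the live socket table on the Prosody host
# (hypothetical helper; requires netstat and a running prosody).
live_rules() {
    iptables_rules "$(external_ports "$(netstat -tlunp 2>/dev/null | grep lua)")"
}

# Stand-alone run: show the rules the sample listing produces (two lines).
iptables_rules "$(external_ports "$NETSTAT_SAMPLE")"
```

Compare the printed rules with what step 5 asks for: the difference is exactly the loopback-bound component port, which is the kind of detail a hand-written port list tends to get wrong in either direction.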